[vox] Password NOT stolen at linuxworld
ME
vox@lists.lugod.org
Tue, 12 Aug 2003 02:45:29 -0700 (PDT)
Ryan Castellucci said:
[On the topic of system examination/post mortem]
> I would actualy like some help, if anyone is interested.
>
> The machine hasn't been cleaned yet, but as far as I can tell it was
> 0wned quite some time ago, and any logs on the breaking will have
> been rotated into /dev/null
If you have no log files, and the box is still running, and you have
access to mount other filesystem, you can go through proc and copy aps
loaded into memory to files in case processes were started from files that
were deleted.
This helps get you some data. The next step I would do (without logs) is
do md5sums on a few tools like lsof and others and comapre their sigs to
those of untainted systems, and then use lsof to see what ports are opened
by what services, and then find versions for those services and check a
snort db or other places to see if any have knonw/published exploits. This
would permit you to focus your attention upon the services that were
vulnerable. Examination of these for "side effects" of exploit (like odd
permissions to extra files/scripts in specific locations like /dev, /tmp,
/etc.)
Running active scanning IDS like snort would seem like a useful method for
external view of exposure, but some rootkits can contain limits for how
they respond to requests based on src IP address. Local inspection with
pure/untrojaned lsof is often better. (Of course, with lsof being so
useful, agressive computer criminals might trojan this and other tools.)
Many exploits will leave behind scripts designed to elevate local non-root
users to root. Examining the published exploits for results and then
tracking the results on your box may help you with this process.
Again, without log files, you are in a tough position. I'd like to hear
about what you find in your examinations of services, service service
versions and if any services show up as running even though you did not
start them.
There was another tool that was originally published as "The Grave Robbers
Tool Kit" but was published under another name. It was a tool for helping
to perform post mortem on b0rken systems. Dan Farmer of SATAN fame and
Weitise Venma of tcp wrappers, etc fame worked on thisproject ages ago.
Not sure it is is still maintained, and I dont recall the new name it was
given.
Was it "The Coroner's TooKit" ? Hmm I can't recall. GRTK is what they
called it at the demo in New York many years back, and that is the name I
remembered....
You may be able to used GRTK from an external media/disk to decrease lost
data as a result of overwriting "freed" space on your disk.
HTH,
-ME